What We Can Learn from the Trident/Pegasus iOS Vulnerability

It’s been several weeks since the story broke about Trident/Pegasus and the vulnerabilities they exploited in iOS. There has certainly been a significant (although a lot less than expected) amount of conversation in the industry about these vulnerabilities, but I believe the really important conversation to have right now is less about the specific issues exposed by Trident/Pegasus, and more about the importance of having a comprehensive strategy, approach, and solution for protecting your company from this kind of threat.

This post is a recap of dozens of conversations I’ve had with our partners and customers about what we can learn from this intrusion and four actions we can all take moving forward.

What Are Pegasus & Trident?

Trident is a set of three vulnerabilities in iOS that are chained in sequence to jailbreak an iOS device and then remotely control it. It is a brilliantly engineered and unbelievably stealthy attack. Pegasus was discovered when a suspicious text message was sent to Ahmed Mansoor, a human rights activist based in the UAE. He passed the message to a non-profit technical organization that works with political dissidents, and that group brought it to our partner Lookout for analysis.

Lookout’s report on the intrusion categorizes it as “the most sophisticated attack we’ve seen on any endpoint.” That’s a big statement from the world’s leading iOS security firm.

Since then, Lookout has been the single source of authoritative information on this intrusion, as well as the only organization that can detect it.

The analysis done by Lookout (you can read everything they’ve published about it here) has revealed that Pegasus is a software package that can be installed on jailbroken or rooted devices and it includes a suite of capabilities all centered around stealing any and all information on a phone (e.g. passwords, e-mails, texts, files) – with a specific emphasis on communication and collaboration apps. This captured information is then exported from the device and sent to the attacker’s cloud services in a way that is nearly impossible to detect.

The way this combination of carefully exploited, previously unknown vulnerabilities and powerful software was executed looks a lot like the work of a commercial enterprise, and there is good reason for that. The organization that built Trident/Pegasus is NSO Group, an Israeli startup founded in 2010 and later acquired by the private equity firm Francisco Partners Management. NSO sells software to governments for the ostensible purpose of anti-terror monitoring. Governments buy this software on a per-license basis (Lookout notes that the price for Pegasus has been about $8 million for 300 licenses), and it comes complete with 24/7 support and software assurance; it even had volume discounts!

If this doesn’t blow your mind a little, just re-read that last paragraph. This is the very scary fruition of something that cyber-security experts have been heavily emphasizing for the last few years: The work behind corporate hacks, online theft, cyber espionage, and cyber-terrorism is a commercial business and not only an underground effort.

If you, as an organization, have intellectual property that is of interest to another company or a state organization, that adversary does not need the expertise to build a sophisticated attack like this; they just need the money to buy a license.

What We Should Learn from Trident/Pegasus

This has been a pretty startling wake-up call and a huge reminder that we are all under constant, persistent attack, and that every platform and app has vulnerabilities. Over the last two years, I’ve had senior executives tell me countless times that they have unwavering, implicit trust in the iOS platform. In these discussions it’s been pretty common to hear a comment like, “I don’t trust Android because it is like the wild, wild west – but I have tremendous trust in iOS because it is a controlled and procured ecosystem.” I’m not attempting to throw stones at Android or iOS, but there is a dilemma with this perspective. To be perfectly clear, the dilemma is this: I know for a fact that all the providers of mobile operating systems go to superhuman lengths to harden their platforms and do everything they can to deliver the most secure operating system possible. But we live in an era of digital threats in which attacks consistently succeed despite the incredible efforts of the organizations building these platforms, and Trident is the proof: three previously unknown bugs, delivered by a text message, were enough to take over an iPhone.

Much like when castles could no longer protect their inhabitants from modern attacks, we also have to think about how we protect ourselves in modern ways. For a little more detail on this analogy, check out the story I told at Ignite about Bamburgh Castle, seen here.

Ask yourself this question: “If I was orchestrating a cyber attack, would I target the PC population or the mobile device population?” Your answer probably covers a combination of the two, but consider a few things:

1) The high-value targets in most organizations carry multiple mobile devices, which makes the number of mobile devices that can be targeted larger than the number of PCs.

2) If you can compromise and “own” a mobile device, you have access to just about every minute of that person’s day.

3) These individuals are doing corporate e-mail, texting, making phone calls, and reviewing files on these mobile devices; by owning the device you have all of it.

Bottom line: Mobile devices are now every bit as juicy a target as PCs, if not more so. It’s impossible to know where the bad actors are making the bulk of their forward-looking investments, but I’m willing to bet that mobile has been a major area of focus for them in the past and will remain so for the foreseeable future.

This is a topic I covered in depth in my recent keynote at Ignite. The keynote video outlines the work we’ve done to natively engineer attack-response features into Windows 10, Office 365, and EMS.

One more really interesting note about the Trident/Pegasus combo: This product is typically sold to smaller governments, because top-tier governments (the G20, for example) all have their own cyber-operations divisions and don’t need this type of third-party support. That fact leads you to consider what kind of capabilities those G20 countries may already have, as well as what those other governments have underway.

OK, So What Do You Do Now? Here Are Some Basic Areas for You to Focus On

First: Always Assume Breach.

There is a saying that there are two kinds of organizations: those who have been hacked and those who don’t know it yet. You could arguably add a third group of orgs who “can’t tell if they’ve been breached,” and that’s a particularly bad position (this is where Azure Active Directory Premium (AADP), Advanced Threat Analytics (ATA), and Cloud App Security (CAS) can make a huge difference, as noted here in the Ignite keynote). When you are evaluating and then utilizing security solutions from your partners, you absolutely must assume breach and then have tools which allow you to identify these intrusions and take action.

The steps we’ve taken to help you identify and remediate are incredible; what we’ve built into the Microsoft Intelligent Security Graph offers a totally unique set of capabilities to help you here. The intelligence and functionality of the Graph is something I discussed in detail at Ignite, and you can watch my overview of it here.

One of the things I encourage every customer to do right now is to begin using multi-factor authentication immediately. The majority of the successful attacks/breaches that we all read about come down to compromised user identities, and MFA is critical to blocking these (you can watch how this works here).

Second: Build Defense in Depth.

Even though you’re always assuming breach, you still want as many layers of defense as possible. You want multiple defenses deployed around your corporate identities, devices, applications, and data. The Microsoft Enterprise Mobility + Security suite comprehensively delivers these layers of defense.

Third: Stay Current and Updated.

One question I hear a lot in customer meetings is, “How do I make sure my devices are the most secure, compliant, performant, and most compatible?” One of the easiest ways to do this is to keep up with the updates from OS vendors, as well as from your management and security providers. Staying current is an easy part of staying secure.
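Here is an added example (my own illustration, not Intune's or any MDM product's implementation) of the check that turns "stay current" into something enforceable: evaluate each device's reported posture against a minimum OS version and a jailbreak flag, and block anything that fails. Apple shipped the Trident fixes in iOS 9.3.5, so that is the assumed iOS minimum; the Android value and the device inventory are constructed placeholders. The one non-obvious point it demonstrates is that version strings must be compared numerically, not as text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """Constructed stand-in for the inventory record an MDM agent reports."""
    device_id: str
    platform: str      # "iOS" or "Android"
    os_version: str    # version string as reported by the device
    jailbroken: bool   # jailbreak/root detection result from the agent


# Hypothetical policy for the example: minimum OS version per platform.
# iOS 9.3.5 is the release in which Apple shipped the Trident fixes; the
# Android value is a placeholder, not a recommendation.
MIN_OS_VERSION: Dict[str, str] = {"iOS": "9.3.5", "Android": "6.0.1"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.3.5' into (9, 3, 5) so versions compare numerically.

    Comparing the raw strings is a classic bug: as text '9.10' < '9.9' and
    '10.0' < '9.3.5', so a fully up-to-date device would be flagged as stale.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def evaluate(device: DevicePosture, policy: Dict[str, str] = MIN_OS_VERSION) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    violations: List[str] = []
    if device.jailbroken:
        # Pegasus installs on jailbroken or rooted devices, so a rooted device
        # is non-compliant regardless of how current its OS is.
        violations.append("device is jailbroken/rooted")
    minimum = policy.get(device.platform)
    if minimum is None:
        violations.append(f"no policy for platform {device.platform!r}")
    elif parse_version(device.os_version) < parse_version(minimum):
        violations.append(f"OS {device.os_version} is below the required minimum {minimum}")
    return violations


def is_compliant(device: DevicePosture, policy: Dict[str, str] = MIN_OS_VERSION) -> bool:
    return not evaluate(device, policy)


def compliance_report(devices: List[DevicePosture]) -> Dict[str, List[str]]:
    """Map device_id -> violations for every device that should be blocked."""
    return {d.device_id: evaluate(d) for d in devices if not is_compliant(d)}


# Constructed sample inventory, not real data.
SAMPLE_FLEET = [
    DevicePosture("exec-iphone-1", "iOS", "9.3.5", False),    # patched
    DevicePosture("exec-iphone-2", "iOS", "9.3.4", False),    # still exposed to Trident
    DevicePosture("exec-ipad-1", "iOS", "10.0", False),       # newer than the minimum
    DevicePosture("contractor-ios", "iOS", "9.3.5", True),    # patched but jailbroken
    DevicePosture("sales-android", "Android", "6.0", False),  # below the placeholder minimum
]

if __name__ == "__main__":
    for device_id, reasons in compliance_report(SAMPLE_FLEET).items():
        print(f"BLOCK {device_id}: {'; '.join(reasons)}")
```

In practice the output of `compliance_report` is what a conditional-access rule consumes: a device on the list gets no token for corporate mail or files until it updates or is wiped, which is exactly the lever that makes "stay current" enforceable rather than advisory.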

Fourth: Think Holistically.

Any attacker – whether it’s on a battlefield, the internet, or in sports – is going to look for weak spots and then hit them hard. You need solutions that have been engineered to deliver an integrated defense – something with very, very few seams (none if possible!). Right now we are several years deep into our integration of Office 365 and EMS, on iOS, Android and Windows – and the integrated scenarios we are delivering provide you the end-to-end, holistic security required for this modern age of attacks.

For an example of approaching security holistically, check out the demo from Ignite that covers how we have integrated our advanced threat protection across Windows, Office 365 and EMS.

As with any defense, you shouldn’t put all your eggs in one basket, but you do need to have a broad and substantive foundation on which you can build everything else. I think Microsoft has made the most compelling case for providing the single best foundation for your organization.